US10372904B2ActiveUtilityA1

Cost prioritized evaluations of indicators of compromise

96
Assignee: TANIUM INCPriority: Mar 8, 2016Filed: Jul 20, 2016Granted: Aug 6, 2019
Est. expiryMar 8, 2036(~9.7 yrs left)· nominal 20-yr term from priority
H04L 41/12H04L 41/0894H04L 63/1441H04L 63/1408H04L 41/0813G06F 21/552H04L 63/1425G06F 21/577H04L 67/141G06F 2221/034H04L 43/10G06F 21/554
96
PatentIndex Score
27
Cited by
109
References
36
Claims

Abstract

A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specifications of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of threat management in a network of machines, the method comprising:
 at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls:
 receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC; 
 dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs; 
 determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device; 
 determining modified respective costs associated with the one or more of the plurality of IOCs; 
 dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and 
 determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order. 
 
 
     
     
       2. The method of  claim 1 , wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
 evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and 
 determining whether a threat is present when at least one of the plurality of IOCs has been evaluated. 
 
     
     
       3. The method of  claim 1 , wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
 sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and 
 determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit. 
 
     
     
       4. The method of  claim 1 , further comprising:
 upon detection of a threat, automatically performing one or more remedial actions to address the detected threat. 
 
     
     
       5. The method of  claim 1 , including:
 receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and 
 in response to receiving the user input, modifying the respective costs associated with the one or more of the plurality of IOCs. 
 
     
     
       6. The method of  claim 1 , wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes:
 ordering the plurality of IOCs based on increasing costs. 
 
     
     
       7. The method of  claim 1 , including:
 receiving a cost quota for evaluating the plurality of IOCs; and 
 determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs. 
 
     
     
       8. The method of  claim 1 , including:
 determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs. 
 
     
     
       9. The method of  claim 1 , wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC. 
     
     
       10. The method of  claim 1 , including:
 maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device. 
 
     
     
       11. The method of  claim 10 , including:
 detecting that one or more of the plurality of IOCs include indicator items present in the index; 
 wherein determining modified respective costs associated with the one or more of the plurality of IOCs further includes:
 in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index, modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index. 
 
 
     
     
       12. A system of threat management in a network of machines, wherein:
 the system is a server or a client machine within the network of machines, and 
 the system comprises:
 one or more processors; and 
 memory storing instructions that when executed by the one or more processors cause the processors to perform operations including:
 receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC; 
 dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs; 
 determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device; 
 determining modified respective costs associated with the one or more of the plurality of IOCs; 
 dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and 
 determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order. 
 
 
 
     
     
       13. The system of  claim 12 , wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
 evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and 
 determining whether a threat is present when at least one of the plurality of IOCs has been evaluated. 
 
     
     
       14. The system of  claim 12 , wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
 sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and 
 determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit. 
 
     
     
       15. The system of  claim 12 , wherein the operations further include: upon detection of a threat, automatically performing one or more remedial actions to address the detected threat. 
     
     
       16. The system of  claim 12 , wherein the operations include:
 receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and 
 in response to receiving the user input, modifying the respective costs associated with the one or more of the plurality of IOCs. 
 
     
     
       17. The system of  claim 12 , wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes ordering the plurality of IOCs based on increasing costs. 
     
     
       18. The system of  claim 12 , wherein the operations include:
 receiving a cost quota for evaluating the plurality of IOCs; and 
 determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs. 
 
     
     
       19. The system of  claim 12 , wherein the operations include:
 determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs. 
 
     
     
       20. The system of  claim 12 , wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC. 
     
     
       21. The system of  claim 12 , wherein the operations include: maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device. 
     
     
       22. The system of  claim 21 , wherein the operations include:
 detecting that one or more of the plurality of IOCs include indicator items present in the index; 
 wherein determining modified respective costs associated with the one or more of the plurality of IOCs further includes:
 in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index, modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index. 
 
 
     
     
       23. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
 receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC; 
 dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs; 
 determining whether a threat is present in a network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device; 
 determining modified respective costs associated with the one or more of the plurality of IOCs; 
 dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and 
 determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order. 
 
     
     
       24. The non-transitory computer-readable medium of  claim 23 , wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
 evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and 
 determining whether a threat is present when at least one of the plurality of IOCs has been evaluated. 
 
     
     
       25. The non-transitory computer-readable medium of  claim 23 , wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
 sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and 
 determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit. 
 
     
     
       26. The non-transitory computer-readable medium of  claim 23 , wherein the operations further include: upon detection of a threat, automatically performing one or more remedial actions to address the detected threat. 
     
     
       27. The non-transitory computer-readable medium of  claim 23 , wherein the operations include:
 receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and 
 in response to receiving the user input, modifying the respective costs associated with the one or more of the plurality of IOCs. 
 
     
     
       28. The non-transitory computer-readable medium of  claim 23 , wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes ordering the plurality of IOCs based on increasing costs. 
     
     
       29. The non-transitory computer-readable medium of  claim 23 , wherein the operations include:
 receiving a cost quota for evaluating the plurality of IOCs; and 
 determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs. 
 
     
     
       30. The non-transitory computer-readable medium of  claim 23 , wherein the operations include:
 determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs. 
 
     
     
       31. The non-transitory computer-readable medium of  claim 23 , wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC. 
     
     
       32. The non-transitory computer-readable medium of  claim 23 , wherein the operations include: maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device. 
     
     
       33. The non-transitory computer-readable medium of  claim 32 , wherein the operations include:
 detecting that one or more of the plurality of IOCs include indicator items present in the index; 
 wherein determining modified respective costs associated with the one or more of the plurality of IOCs further includes:
 in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index, modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index. 
 
 
     
     
       34. A method of threat management in a network of machines, the method comprising:
 at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls:
 receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC; 
 dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs; 
 sending queries into a linear communication orbit comprising a sequence of machines within the network of machines; 
 collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and 
 determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device. 
 
 
     
     
       35. A system of threat management in a network of machines, wherein:
 the system is a server or a client machine within the network of machines, and the system comprises:
 one or more processors; and 
 memory storing instructions that when executed by the one or more processors cause the processors to perform operations including:
 receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC; 
 dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs; 
 sending queries into a linear communication orbit comprising a sequence of machines within the network of machines; 
 collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
 determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device. 
 
 
 
 
     
     
       36. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
 receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC; 
 dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs; 
 sending queries into a linear communication orbit comprising a sequence of machines within the network of machines; 
 collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and 
 determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.